cid#1608462 XML external entity processing enabled

and

cid#1608334 XML external entity processing enabled
cid#1608302 XML external entity processing enabled
cid#1608234 XML external entity processing enabled
cid#1608094 XML external entity processing enabled
cid#1607973 XML external entity processing enabled
cid#1607890 XML external entity processing enabled
cid#1607706 XML external entity processing enabled
cid#1607366 XML external entity processing enabled
cid#1607026 XML external entity processing enabled
cid#1606764 XML external entity processing enabled

Change-Id: I7894d335f244ed3ddbbe43d9bdbc2818065830f3
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171461
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Caolán McNamara 2024-08-04 14:57:37 +01:00
parent 2610e15e9d
commit b5e2dc7367
8 changed files with 175 additions and 14 deletions


@ -1020,6 +1020,7 @@ public abstract class OfficeDocumentReportTarget extends AbstractReportTarget
{ {
inputStream = getInputRepository().createInputStream("meta.xml"); inputStream = getInputRepository().createInputStream("meta.xml");
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder(); DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
Document document = dBuilder.parse(new InputSource(inputStream)); Document document = dBuilder.parse(new InputSource(inputStream));
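Review bot: The `setFeature` call added at L32 throws the checked `ParserConfigurationException` when the JAXP provider returned by `DocumentBuilderFactory.newInstance()` does not recognise the Xerces-specific `disallow-doctype-decl` URI, and the `try` opened at L29 is cut off on both sides, so it is not visible whether that exception gets its own catch or is folded into a generic handler together with I/O failures. If it is swallowed, a non-Xerces provider on the classpath would leave meta.xml parsing unhardened without any trace; a dedicated catch that either aborts the load or logs at error level would make the failure visible. A why-comment on the new line would also help the next reader, e.g. `// Reject any DOCTYPE: meta.xml needs none, and this closes XXE and entity-expansion DoS in one step.`. The enclosing method starts and ends outside the hunk.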


@ -18,6 +18,8 @@
package com.sun.star.script.framework.container; package com.sun.star.script.framework.container;
import com.sun.star.script.framework.log.LogUtils;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
@ -29,6 +31,7 @@ import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory; import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource; import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
import javax.xml.XMLConstants;
import org.w3c.dom.Document; import org.w3c.dom.Document;
@ -60,6 +63,26 @@ public class XMLParserFactory {
public DefaultParser() { public DefaultParser() {
factory = DocumentBuilderFactory.newInstance(); factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
LogUtils.DEBUG(LogUtils.getTrace(e));
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
LogUtils.DEBUG(LogUtils.getTrace(e));
}
} }
public Document parse(InputStream inputStream) throws IOException { public Document parse(InputStream inputStream) throws IOException {
@ -103,4 +126,4 @@ public class XMLParserFactory {
} }
} }
} }
} }
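Review bot: The catch blocks at L61-L63 and L67-L69 record a failed hardening call only as a DEBUG trace and then leave the factory usable, so if the resolved parser rejects any of these feature names the script framework keeps parsing with external entities enabled and nothing shows up in a normal log. Since the purpose of the change is to close an XXE sink, this should fail closed or at least be loud: `throw new IllegalStateException("cannot configure secure XML parser", e);` in place of the DEBUG trace, or as a minimum whatever error-level facility `LogUtils` offers. Applying the features to the shared `factory` field in the constructor is the right place, since every builder created from it inherits them. The `parse` method at L71 continues outside the hunk.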


@ -31,6 +31,7 @@ import javax.xml.transform.TransformerFactory;
import javax.xml.transform.Transformer; import javax.xml.transform.Transformer;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.dom.DOMSource; import javax.xml.transform.dom.DOMSource;
import javax.xml.XMLConstants;
import org.w3c.dom.Node; import org.w3c.dom.Node;
import org.w3c.dom.Document; import org.w3c.dom.Document;
@ -43,9 +44,34 @@ import org.openoffice.xmerge.util.Debug;
public class DOMDocument public class DOMDocument
implements org.openoffice.xmerge.Document { implements org.openoffice.xmerge.Document {
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/** Factory for {@code DocumentBuilder} objects. */ /** Factory for {@code DocumentBuilder} objects. */
private static DocumentBuilderFactory factory = private static DocumentBuilderFactory factory = makeFactory();
DocumentBuilderFactory.newInstance();
/** DOM {@code Document} of content.xml. */ /** DOM {@code Document} of content.xml. */
private Document contentDoc = null; private Document contentDoc = null;
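Review bot: `makeFactory()` at L90-L110 is the same block of code this commit also pastes into OfficeDocument, DocumentDeserializerImpl, DocumentSerializerImpl and ConverterInfoReader, so the next hardening step (an extra feature flag, a changed log level) has to be made five times and is easy to miss once. A single `public static DocumentBuilderFactory newSecureFactory()` in `org.openoffice.xmerge.util` next to `Debug` would let each class keep a one-line `private static DocumentBuilderFactory factory = XmlUtil.newSecureFactory();`. The helper also deserves a Javadoc stating what it guarantees: DOCTYPE declarations are still accepted (OfficeDocument and DocumentSerializerImpl in this same commit emit a `-//OpenOffice.org//DTD OfficeDocument 1.0//EN` document type, so presumably OpenOffice 1.0 files carry one) while no external general or parameter entity and no external DTD is fetched, so nobody later "tightens" it to `disallow-doctype-decl` and breaks those files.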


@ -193,7 +193,7 @@ public class EmbeddedXMLObject extends EmbeddedObject {
try { try {
if (builder == null) { if (builder == null) {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setValidating(false); factory.setValidating(false);
builder = factory.newDocumentBuilder(); builder = factory.newDocumentBuilder();
} }
@ -277,4 +277,4 @@ public class EmbeddedXMLObject extends EmbeddedObject {
root.appendChild(objectNode); root.appendChild(objectNode);
} }
} }
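Review bot: `disallow-doctype-decl` at L123 is stricter than the policy the rest of xmerge adopts in this commit, which keeps DOCTYPE allowed and only disables external entity and DTD loading; OfficeDocument and DocumentSerializerImpl in the same commit still create a `-//OpenOffice.org//DTD OfficeDocument 1.0//EN` document type when writing. If an embedded object's XML stream can carry such a DOCTYPE (I cannot tell from the hunk whether embedded streams are ever written with one), `builder.parse` will now throw a SAXParseException on otherwise legitimate OpenOffice 1.0 files, so this is worth a check against an sxw with an embedded object before merging, or switching to the same external-entity/FEATURE_SECURE_PROCESSING set the sibling classes use. Whether the `ParserConfigurationException` thrown by `setFeature` is caught by the `try` at L120 is also not visible, as the catch lies outside the hunk. The enclosing method starts and ends outside the hunk.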


@ -35,6 +35,7 @@ import java.util.HashMap;
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.ParserConfigurationException;
import javax.xml.XMLConstants;
import org.w3c.dom.Node; import org.w3c.dom.Node;
import org.w3c.dom.Element; import org.w3c.dom.Element;
@ -58,9 +59,34 @@ import org.openoffice.xmerge.util.Debug;
public abstract class OfficeDocument public abstract class OfficeDocument
implements org.openoffice.xmerge.Document, OfficeConstants { implements org.openoffice.xmerge.Document, OfficeConstants {
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/** Factory for {@code DocumentBuilder} objects. */ /** Factory for {@code DocumentBuilder} objects. */
private static DocumentBuilderFactory factory = private static DocumentBuilderFactory factory = makeFactory();
DocumentBuilderFactory.newInstance();
/** DOM {@code Document} of content.xml. */ /** DOM {@code Document} of content.xml. */
private Document contentDoc = null; private Document contentDoc = null;
@ -642,7 +668,7 @@ public abstract class OfficeDocument
write(os); write(os);
} else { } else {
try { try {
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory builderFactory = makeFactory();
DocumentBuilder builder= builderFactory.newDocumentBuilder(); DocumentBuilder builder= builderFactory.newDocumentBuilder();
DOMImplementation domImpl = builder.getDOMImplementation(); DOMImplementation domImpl = builder.getDOMImplementation();
domImpl.createDocumentType("office:document","-//OpenOffice.org//DTD OfficeDocument 1.0//EN",null); domImpl.createDocumentType("office:document","-//OpenOffice.org//DTD OfficeDocument 1.0//EN",null);
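Review bot: `makeFactory()` at L144-L164 has no Javadoc, and the decision it encodes is not obvious from the code: DOCTYPE declarations stay permitted because this very class writes `-//OpenOffice.org//DTD OfficeDocument 1.0//EN` at L177, while external general/parameter entities and the external DTD are never fetched and FEATURE_SECURE_PROCESSING asks the provider to cap entity expansion. I would put that in front of the method: `/** Builds a DocumentBuilderFactory hardened against XXE: DOCTYPEs are accepted (OpenOffice 1.0 files carry one) but no external entity or DTD is ever loaded. */`. A why-comment on the catch branches, e.g. `// Feature unknown to this JAXP provider: log and keep applying the remaining ones.`, would turn the current fail-open behaviour into a documented choice rather than an accident. The `write` path around L170-L177 starts and ends outside the hunk.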


@ -25,6 +25,7 @@ import java.util.Iterator;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Source; import javax.xml.transform.Source;
import javax.xml.transform.Transformer; import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerException;
@ -33,6 +34,7 @@ import javax.xml.transform.URIResolver;
import javax.xml.transform.dom.DOMSource; import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource; import javax.xml.transform.stream.StreamSource;
import javax.xml.XMLConstants;
import org.openoffice.xmerge.ConvertData; import org.openoffice.xmerge.ConvertData;
import org.openoffice.xmerge.ConvertException; import org.openoffice.xmerge.ConvertException;
@ -57,6 +59,32 @@ public final class DocumentDeserializerImpl
private final ConvertData cd; private final ConvertData cd;
private final PluginFactoryImpl pluginFactory; private final PluginFactoryImpl pluginFactory;
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/** /**
* Constructor that assigns the given {@code ConvertData} to this object. * Constructor that assigns the given {@code ConvertData} to this object.
* *
@ -93,7 +121,7 @@ public final class DocumentDeserializerImpl
domDoc = docOut.getContentDOM(); domDoc = docOut.getContentDOM();
baos = transform(domDoc); baos = transform(domDoc);
sxwDoc.initContentDOM(); sxwDoc.initContentDOM();
DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dFactory = makeFactory();
dFactory.setNamespaceAware(true); dFactory.setNamespaceAware(true);
DocumentBuilder dBuilder = dFactory.newDocumentBuilder(); DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
sxwDoc.setContentDOM(dBuilder.parse(new ByteArrayInputStream(baos.toByteArray()))); sxwDoc.setContentDOM(dBuilder.parse(new ByteArrayInputStream(baos.toByteArray())));
@ -135,7 +163,7 @@ public final class DocumentDeserializerImpl
ConverterInfo ci = pluginFactory.getConverterInfo(); ConverterInfo ci = pluginFactory.getConverterInfo();
ByteArrayOutputStream baos= new ByteArrayOutputStream(); ByteArrayOutputStream baos= new ByteArrayOutputStream();
try{ try{
DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dFactory = makeFactory();
dFactory.setNamespaceAware(true); dFactory.setNamespaceAware(true);
DocumentBuilder dBuilder = dFactory.newDocumentBuilder(); DocumentBuilder dBuilder = dFactory.newDocumentBuilder();


@ -32,6 +32,7 @@ import org.openoffice.xmerge.ConvertData;
import org.openoffice.xmerge.ConvertException; import org.openoffice.xmerge.ConvertException;
import org.openoffice.xmerge.DocumentSerializer; import org.openoffice.xmerge.DocumentSerializer;
import org.openoffice.xmerge.converter.dom.DOMDocument; import org.openoffice.xmerge.converter.dom.DOMDocument;
import org.openoffice.xmerge.util.Debug;
import org.openoffice.xmerge.util.registry.ConverterInfo; import org.openoffice.xmerge.util.registry.ConverterInfo;
import org.openoffice.xmerge.converter.xml.OfficeConstants; import org.openoffice.xmerge.converter.xml.OfficeConstants;
@ -47,6 +48,9 @@ import javax.xml.transform.Source;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.XMLConstants;
/** /**
* Xslt implementation of {@code org.openoffice.xmerge.DocumentSerializer} * Xslt implementation of {@code org.openoffice.xmerge.DocumentSerializer}
@ -65,6 +69,32 @@ public final class DocumentSerializerImpl
private final PluginFactoryImpl pluginFactory; private final PluginFactoryImpl pluginFactory;
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/** /**
* Constructor. * Constructor.
* *
@ -97,8 +127,7 @@ public final class DocumentSerializerImpl
Node offnode = domDoc.getDocumentElement(); Node offnode = domDoc.getDocumentElement();
if (!(offnode.getNodeName()).equals("office:document")) { if (!(offnode.getNodeName()).equals("office:document")) {
try { try {
DocumentBuilderFactory builderFactory = DocumentBuilderFactory DocumentBuilderFactory builderFactory = makeFactory();
.newInstance();
DocumentBuilder builder = builderFactory.newDocumentBuilder(); DocumentBuilder builder = builderFactory.newDocumentBuilder();
DOMImplementation domImpl = builder.getDOMImplementation(); DOMImplementation domImpl = builder.getDOMImplementation();
DocumentType docType = domImpl.createDocumentType( DocumentType docType = domImpl.createDocumentType(
@ -231,7 +260,7 @@ public final class DocumentSerializerImpl
ByteArrayOutputStream baos = new ByteArrayOutputStream(); ByteArrayOutputStream baos = new ByteArrayOutputStream();
try { try {
DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dFactory = makeFactory();
dFactory.setNamespaceAware(true); dFactory.setNamespaceAware(true);
DocumentBuilder dBuilder = dFactory.newDocumentBuilder(); DocumentBuilder dBuilder = dFactory.newDocumentBuilder();


@ -21,9 +21,11 @@ package org.openoffice.xmerge.util.registry;
import java.io.*; import java.io.*;
import java.util.*; import java.util.*;
import java.util.jar.*; import java.util.jar.*;
import org.openoffice.xmerge.util.Debug;
import org.xml.sax.*; import org.xml.sax.*;
import org.w3c.dom.*; import org.w3c.dom.*;
import javax.xml.parsers.*; import javax.xml.parsers.*;
import javax.xml.XMLConstants;
import java.net.URL; import java.net.URL;
import java.net.JarURLConnection; import java.net.JarURLConnection;
@ -49,6 +51,32 @@ public class ConverterInfoReader {
private final Document document; private final Document document;
private final ArrayList<ConverterInfo> converterInfoList; private final ArrayList<ConverterInfo> converterInfoList;
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/** /**
* Constructor. * Constructor.
* *
@ -92,7 +120,7 @@ public class ConverterInfoReader {
// Get the DOM builder and build the document. // Get the DOM builder and build the document.
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory builderFactory = makeFactory();
//DTD validation //DTD validation